UDP Port Traffic Filtered on PFS. Hosts Cannot Connect With Their Firewall On.
-
Not familiar with TeamSpeak. Sounds like something you're trying to forward ports inbound from the Internet for? In that case, packet capture on WAN filtering on the port in question that doesn't work, attempt to connect, stop the capture and see if it gets there. If so, switch to LAN and try again. Every possible reason port forwards won't work is outlined here:
http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
Common Problems
1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?). Hint: You probably do NOT want to set a source port.
2. Firewall enabled on client machine.
3. Client machine is not using pfSense as its default gateway.
4. Client machine not actually listening on the port being forwarded.
5. ISP blocking the port being forwarded.
6. Trying to test from inside your network, need to test from an outside machine.
7. Incorrect or missing Virtual IP configuration for additional public IP addresses.
8. The pfSense router is not the border router. If there is something else between pfSense and your ISP, you must also replicate port forwards and associated rules there.
9. Forwarding ports to a server behind a Captive Portal. You must add an IP bypass both to and from the server's IP in order for a port forward to work behind a Captive Portal.
So there it is, #2 is the problem. But where is the FIX? Am I not reading closely enough??
-
Then the fix depends on the client firewall in question and has nothing to do with pfSense. You'll have to fix the client firewall in that case. Usually the source machine's firewall isn't the issue, but rather the destination machine's host firewall, but it's possible for it to be either, or both.
-
It is all Windows machines that are having the issue connecting. Maybe I wasn't clear in the update I put, but the issue is on machines with or without the firewall turned on, and they are all Windows 7 or 8 machines. I have never run into this issue with any other router/firewall dist. that I have used before.
Please, can I get some more detailed information regarding the issue? In the simplest way I can explain it, this is the rundown.
Clients connect to a "VOIP"-style server (it's called TeamSpeak; it's just voice chat for online gaming). The server runs off of 3 ports, 2 TCP and 1 UDP. The ServerQuery is listening on port 10011 (TCP) and file transfers use port 30033 (TCP). The voice data itself listens on 9987 (UDP) <--- this port you can change to whatever you want to open on your box. With the 1 "Server" program running, this can host as many virtual servers as you wish. So you can have 100 UDP ports for 100 servers; it really doesn't matter.
I have changed my NAT rules so many times now that I don't think a screenshot will do any justice, as I have changed the config so many ways. NOTHING has worked 100%; it's many intermittent issues (one being the FW being an issue for some users and not others).
Please, I need the port to listen on UDP and accept ALL traffic on that port from WAN and LAN. Can someone please provide a rule, a screenshot, or a CLI command?
Thank you again, Rob.
-
Here is a packet capture of 2 devices that are unable to connect, one from the cloud, the other local. I have tried NAT and FW rules for both the range of UDP ports I see required, all UDP ports, and ALL ports, and I still end up with the same packet capture. Something is being filtered. Any input?
-
I have a similar setup actually, and have hosted a TeamSpeak server without an issue. I even have the same Netgear wireless router. I wouldn't suggest opening 10011 to the public, as the listening service is SQLite and, as we all know, SQL is the glory hole to the internet. If you use a web widget or whatever to show who is on your TeamSpeak server, I would restrict access to 10011 to that 1 specific site's IP, for which you will need to contact the web host to see what IP their queries are sent out from. Been down that road too ;-P
I have my DD-WRT configured a little differently. Because I do not need all four of the switch ports on the DD-WRT, my OPT-1 (LAN in your case) connects to 1 of the four switch ports instead of the WLAN. I've disabled every service possible (DHCP, DNS, etc.) on the DD-WRT so it's merely a switch / access point.
All NAT should be handled by your pfSense box; the DD-WRT should not be firewalling or doing NAT. Double NAT will make your life suck when troubleshooting.
-
..just did exactly as you said… still having issues..... I'm so confused....
Like that screenshot I posted is hosted off the same box... so I'm almost 99% sure it's something to do with just UDP filtering, but what!! lol :(
-
Have you tried taking the DD-WRT out of the equation, so it's just modem > pfSense > PC? Even though you've tried both with and without the Windows firewall, you should continue testing with the Windows firewall turned off.
I'm pretty confident it's nothing to do with pfSense; I'm able to host a TS server without an issue. I can even host one when I get home for you, just to verify.
Another troubleshooting idea: see if a local machine can connect to your TS server. If this still fails, at least you've narrowed down the issue to the server and not pfSense.
-
The DD-WRT is acting strictly as a switch; it's been taken out of the topology for shits and giggles, makes no difference. Windows firewall on or off, no difference. I set up a 3rd NIC on the pfSense box, set up rules all over again, changed servers hosting TeamSpeak, and it doesn't matter. It refuses the connection from the cloud only for some clients, my mobile phone being one of them, yet it works for 1 person randomly. Everything works great with local IPs.
-
Did you turn on logging for the TS3 firewall rule, then check the logs to see if the firewall is reacting to the rule? If nothing yields, then go into the log settings and enable logging for packets blocked by the default rule. Do you have any packages installed on pfSense? Have you tried using packet capture under Diagnostics in pfSense (diag_packet_capture.php)? (I think CMB recommended this as well, but you didn't say if you had tried it or not.)
If you want, I can export my firewall configuration (minus some details, naturally) for you to look over. Maybe set up a virtual machine and load it to compare settings. I did not have to disable anything to get TeamSpeak working, no UDP filtering buttons to turn off, etc.
*Also, could you post a screenshot of your NAT and Rules pages?
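One way to act on the logging suggestion in the last reply (turn on logging for the TS3 rule and for default-rule blocks, then read what pfSense did with datagrams to the voice port), as an added example that is not from the thread, from any poster, or from pfSense itself. It assumes the comma-separated filterlog layout used by pfSense 2.2 and later (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then per-version IP fields, source, destination, source port, destination port); the interface names (em0 as WAN, em1 as LAN), rule tracker numbers and all log lines below are constructed for the example, with RFC 5737 / RFC 1918 / RFC 3849 addresses. It separates "pfSense blocked it on WAN" (a NAT/rule problem, items 1 and 7 in the list above) from "pfSense passed it on WAN and the client still failed" (host firewall or listener, items 2 and 4).

```python
"""Sift pfSense filterlog lines for traffic to a forwarded port (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

TS_VOICE_PORT = 9987   # TeamSpeak voice port from the thread (UDP)
WAN_IFACE = "em0"      # assumed WAN interface name; check Interfaces > Assignments

# Constructed sample lines in the assumed filterlog layout (not real log output).
SAMPLE_LOG = """\
Dec  3 20:01:11 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,54,41127,0,none,17,udp,78,203.0.113.5,198.51.100.2,51234,9987,58
Dec  3 20:01:12 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,54,41128,0,none,17,udp,78,203.0.113.5,198.51.100.2,51234,9987,58
Dec  3 20:01:15 pfsense filterlog: 71,,,1415900231,em0,match,pass,in,4,0x0,,117,9911,0,none,17,udp,78,198.51.100.77,198.51.100.2,60112,9987,58
Dec  3 20:01:20 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,192.0.2.9,198.51.100.2,40001,10011,0,S,123,,65535,,mss
Dec  3 20:01:22 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,54,41130,0,none,17,udp,78,203.0.113.5,198.51.100.2,51234,9987,58
Dec  3 20:01:30 pfsense filterlog: 12,,,1000000112,em1,match,pass,in,4,0x0,,64,3321,0,DF,17,udp,78,192.168.1.50,198.51.100.2,55555,9987,58
Dec  3 20:01:35 pfsense filterlog: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,udp,17,58,2001:db8::5,2001:db8::2,51234,9987,58
"""


@dataclass(frozen=True)
class FilterLogEntry:
    tracker: str    # rule tracker ID; lets you tell which rule acted
    iface: str
    action: str     # "pass" or "block"
    direction: str  # "in" or "out"
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_filterlog_line(line: str) -> Optional[FilterLogEntry]:
    """Parse one syslog line; return None for non-filterlog or port-less (ICMP etc.) entries."""
    marker = "filterlog: "
    pos = line.find(marker)
    if pos < 0:
        return None
    f = line[pos + len(marker):].strip().split(",")
    try:
        if f[8] == "4":    # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst,sport,dport
            proto, src, dst, ports = f[16], f[18], f[19], f[20:22]
        elif f[8] == "6":  # IPv6 (assumed): class,flowlabel,hoplimit,proto,proto-id,len,src,dst,sport,dport
            proto, src, dst, ports = f[12], f[15], f[16], f[17:19]
        else:
            return None
        if proto not in ("tcp", "udp") or len(ports) < 2:
            return None
        sport, dport = int(ports[0]), int(ports[1])
    except (IndexError, ValueError):
        return None
    return FilterLogEntry(f[3], f[4], f[6], f[7], proto, src, dst, sport, dport)


def find_port_hits(lines: Iterable[str], port: int, proto: str = "udp") -> List[FilterLogEntry]:
    """Inbound entries whose destination port/protocol match the forwarded service."""
    hits = []
    for line in lines:
        e = parse_filterlog_line(line)
        if e and e.proto == proto and e.dport == port and e.direction == "in":
            hits.append(e)
    return hits


def summarize(hits: Iterable[FilterLogEntry]) -> Counter:
    """Count by (interface, action, tracker, source) so a single rule or client stands out."""
    return Counter((h.iface, h.action, h.tracker, h.src) for h in hits)


def diagnose(hits: List[FilterLogEntry], wan_iface: str = WAN_IFACE) -> List[str]:
    """Turn the summary into the troubleshooting question each group answers."""
    notes = []
    for (iface, action, tracker, src), n in sorted(summarize(hits).items()):
        if iface == wan_iface and action == "block":
            notes.append(f"{n} datagram(s) from {src} blocked on {iface} by rule tracker {tracker}: "
                         "the WAN pass/NAT rule is not matching this client (list items 1 and 7)")
        elif iface == wan_iface:
            notes.append(f"{n} datagram(s) from {src} passed on {iface} by tracker {tracker}: "
                         "pfSense let it through; look at the host firewall or listener (items 2 and 4)")
        else:
            notes.append(f"{n} datagram(s) from {src} {action}ed on {iface} by tracker {tracker} (LAN side)")
    return notes


if __name__ == "__main__":
    for note in diagnose(find_port_hits(SAMPLE_LOG.splitlines(), TS_VOICE_PORT)):
        print(note)
```

Feed it the output of the firewall log (Status > System Logs > Firewall, or /var/log/filter.log on the box) after enabling logging on the TS3 rule and on the default block rule; if the voice port never appears at all on the WAN interface while a remote client is connecting, the datagrams are not reaching pfSense (item 5 or 8), which is the same conclusion the WAN packet capture suggested earlier would give.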